From the oss-security posting at $URL:

----- Original Message -----
> Hello,
> our maintainer found the following patches:
> -----------
> I was doing some maintenance on the bsdtar package and noticed that there
> was a buffer overflow fix upstream, see
> http://code.google.com/p/libarchive/source/detail?r=3158&path=/trunk/libarchive/archive_read_support_format_iso9660.c

Use CVE-2011-1777

>
> Also the SUSE package does not include the
> http://pkgs.fedoraproject.org/gitweb/?p=libarchive.git;a=blob_plain;f=libarchive-2.8.4-iso9660-data-types.patch;hb=HEAD
> patch, which seems to be security sensitive also.

I'm not sure I'd call this one security. It's a crash only from what I can see:
https://code.google.com/p/libarchive/source/detail?r=1984&path=/trunk/libarchive/archive_read_support_format_iso9660.c
It's just silly input to a format string. If you want one I'll assign it though.

> More overflow fixes:
>
> http://code.google.com/p/libarchive/source/detail?r=2842

This one needs a 2010 ID. Use CVE-2010-4666

> http://code.google.com/p/libarchive/source/detail?r=3160

Use CVE-2011-1778

>
> Use-after-free fix (not sure if exploitable):
>
> http://code.google.com/p/libarchive/source/detail?r=3038

I'm going to give this an ID; I'd rather have it revoked than not assigned. Use CVE-2011-1779
Poking the rest of upstream (specifically the lead, kientzle) about this... haven't seen any notification on that end. Doubt it, but checking into a release being cut for it also; extracting the patches out is a possibility, but may require tweaking (2.8.4 is near a year old now).
According to [1] libarchive 2.8.5 fixes this hole. The current Gentoo stable is 2.8.4-r1. Can we stabilize 2.8.5? [1] http://securitytracker.com/id/1026365
(In reply to comment #2)
> According to [1] libarchive 2.8.5 fixes this hole.
> The current Gentoo stable is 2.8.4-r1. Can we stabilize 2.8.5?
>
> [1] http://securitytracker.com/id/1026365

sure
Arches, please test and mark stable: =app-arch/libarchive-2.8.5
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
amd64 stable
Stable on alpha.
ppc/ppc64 done
Stable for HPPA.
arm stable
Archtested on x86: Everything fine
x86 done. thanks JD
ia64/s390/sh/sparc stable
Thanks, everyone. GLSA request filed.
CVE-2011-1779 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1779):
Multiple use-after-free vulnerabilities in libarchive 2.8.4 and 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted (1) TAR archive or (2) ISO9660 image.

CVE-2011-1778 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1778):
Buffer overflow in libarchive through 2.8.5 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TAR archive.

CVE-2011-1777 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1777):
Multiple buffer overflows in the (1) heap_add_entry and (2) relocate_dir functions in archive_read_support_format_iso9660.c in libarchive through 2.8.5 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted ISO9660 image.

CVE-2010-4666 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4666):
Buffer overflow in libarchive 3.0 pre-release code allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted CAB file, which is not properly handled during the reading of Huffman code data within LZX compressed data.
This issue was resolved and addressed in GLSA 201406-02 at http://security.gentoo.org/glsa/glsa-201406-02.xml by GLSA coordinator Sean Amoss (ackle).